The cyber attack on Latitude Financial has escalated significantly, with new evidence of “large-scale information theft” including passport and Medicare numbers of past and present customers.

Latitude Financial, a major non-bank lender of consumer credit in Australia, revealed last week that it was targeted with a “sophisticated and malicious cyber-attack”, with the data of 330,000 customers and applicants impacted.

But this has now become worse, with the company on Wednesday revealing that the number of people impacted is likely significantly higher.

“While to the best of our knowledge no compromised data has left Latitude’s systems since Thursday 16 March 2023, regrettably our review has uncovered further evidence of large-scale information theft affecting customers (past and present) and applicants across Australia and New Zealand,” a Latitude Financial update to the market said on Wednesday.

“Our people are working urgently to identify the total number of customers and applicants affected and the type of personal information that has been stolen.”

Initially, the company only revealed that driver licences had been stolen as part of the attack. But in an update to the market on Monday, Latitude Financial revealed that Medicare numbers and “copies of passports or passport numbers” had also been accessed by the cyber attackers.

According to the company, 96 per cent of the data breached was copies of driver licences or driver licence numbers, while less than four per cent was copies of passports or passport numbers, and less than one per cent was Medicare numbers.

It’s a significant escalation and follows the major cyber attacks on Optus and Medibank late last year.

The company has also said that the cyber attack “remains active”, and that it has taken its systems offline.

“Our focus remains firmly on containing this attack, progressing our forensic review of the actions taken by the attacker and restoring operational capability gradually over the coming days,” the company said.

Latitude Financial offers credit cards, personal loans and other forms of finance for customers including Harvey Norman, JB Hi-Fi, David Jones and the Good Guys.

The company has 2.8 million customer accounts.

Latitude has engaged external cyber security experts, the Australian Cyber Security Centre, and other relevant government agencies. The cyber attack is also now the subject of an Australian Federal Police investigation.

Latitude Financial CEO Ahmed Fahour, the former CEO of Australia Post, said the company is “working extremely hard” to restore its services.

“I sincerely apologise to our customers and partners for the distress and inconvenience this criminal act has caused,” Fahour said.

“I understand fully the wider concern that this cyber attack has created within the community. Our focus is on protecting the ongoing security of our customers’, partners’, employees’ personal and identity information while also doing everything we can to support customers and applicants who have had information stolen. We understand their frustration.”

Fahour is due to depart from the company in two weeks after announcing his resignation in August last year. He will be replaced by current Latitude Financial executive general manager of the money division Bob Belan.

IDCARE has also been engaged to provide free, confidential cyber incident information and assistance to those impacted by the breach.

The cyber attack on Latitude Financial has been labelled “ridiculous” by cybersecurity professionals.

It’s the latest in a line of major recent cyber attacks impacting millions of Australians.

Last year 9.8 million Optus customers had their data breached, with information including names, dates of birth, phone numbers, email addresses, physical addresses, driver licences and passport numbers.

Shortly after, private health insurer Medibank was also breached, with 9.7 million customers impacted.